Slashdot Mirror


Mozilla Starts Bug Bounty Program

AnamanFan writes "The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsored by Linspire, Inc and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information."

8 of 194 comments

  1. Re:I'll stick my neck out by Anonymous Coward · · Score: 0, Informative

    A lot is two words.

  2. Re:I'll stick my neck out by ajrs · · Score: 2, Informative

    I'll chop it off for you. You might want to check out this link about TeX, which has had a bounty for decades.

    I think you might have confused bragging with desperation.

  3. Re:I wonder if he's kicking himself... by Anonymous Coward · · Score: 1, Informative

    The initial bug report was made almost three years ago, marked confidential, and ignored. He was far too late to claim the bounty on that particular bug.

  4. Re:I wonder if he's kicking himself... by Anonymous Coward · · Score: 1, Informative

    The "bug" was known for 5 years. It's not so much of a bug as it is an exploit though. That being said there are several defaults that definitely need to be changed. I'm glad they're starting a program like this, it's bound to make Mozilla a more secure package overall. If for no other reason than if a bug is found it'll be reported rather than hidden and used for malicious purposes later on.

  5. Mark Shuttleworth by FleaPlus · · Score: 2, Informative

    As a reminder, Mark Shuttleworth is the Internet entrepreneur who was the second space tourist. It's really quite cool to see him taking an interest in helping Mozilla.

  6. Re:Lousy deal by jesser · · Score: 2, Informative

    I don't like the wording in the press release either. The Bug Bounty FAQ makes it more clear, but still leaves a lot of information out.

    Bugs that will get the bounty:

    * Arbitrary code execution without user interaction.
    * Reading files with known names from the user's hard drive without user interaction.
    * Reading cookies or stored passwords for other sites without user interaction.

    For bugs that require some user interaction to exploit, human judgement is required, hence contest judges.

    Bugs that will not get the bounty:

    * Temporary DoS, such as crashing or hanging the browser.
    * Exposure of browsing history.
    * Local file detection.

    I don't know what would happen with a bug whose severity is between those listed as ineligible and those listed as eligible.

    For what it's worth, about half of the security holes I've reported in Mozilla had the necessary severity (code execution, cookie read, file read). Many of those holes required user interaction, though. It might be interesting to ask the judges which of my security holes would have been eligible had I reported them after 2004-08-02, to get a better idea of what they consider eligible.

    --
    The shareholder is always right.

  7. It's a bribe!!! by Anonymous Coward · · Score: 1, Informative

    I guess Mozilla is afraid now that holes are starting to be found in their browser too, proving that just moving to a new browser isn't the answer that everyone has been preaching.

    Rather than have people find the holes and exploit them they figure "Why not try to pay the people who find them so they won't exploit them?" That's pretty lame!

    Why not give up your lunch money while you're at it!!!!

  8. Re:We will probably never get to see them by HadMatter · · Score: 2, Informative

    So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?

    Quoting from the Mozilla Security Bug Bounty FAQ,

    If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?

    No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).

    So, yes, the Mozilla Organization would prefer that the developers get a reasonable chance to fix security bugs before anyone else, you know, like black hats, learns about them. They are also realists: the reporter could have told the world to begin with, so there's nothing to stop them from doing the same later. Knowing that, it only makes sense to plan on keeping confidentiality only for a limited time. If you read handling Mozilla security bugs it is clear that they grok.